Stanford probes breach as attacks on university networks soar

Stanford University is telling all users of its network to change their passwords after an apparent security breach, the latest example of a growing cyber threat to the nation’s universities.

The university’s chief financial officer, Randall Livingston, e-mailed the university community advising people to make the change in wake of an “apparent breach of its information technology infrastructure similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a post at TechCrunch by Billy Gallagher, a Stanford student and co-president of the student body.

The university did not yet know the extent of the breach or whether any personal information had been taken, according to the post. Livingston also noted that Stanford does not conduct classified research.

Although the seriousness, or the source, of the breach is unknown, the apparent attack reflects a mounting problem for U.S. universities, which are built around the idea of sharing information but which get bombarded by tens of thousands of attack attempts a day. The New York Times reported recently that research universities are experiencing an exponential increase in cyberattacks, many of them believed to originate in China.

The attacks have been increasing in sophistication as well as in frequency, often going undetected, which is prompting university officials to reconsider the open nature of their networks.

“A university environment is very different from a corporation or a government agency, because of the kind of openness and free flow of information you’re trying to promote,” David J. Shaw, the chief information security officer at Purdue University, told the Times. “The researchers want to collaborate with others, inside and outside the university, and to share their discoveries.”

Some research universities work with government agencies on classified projects, but even those that don’t, like Stanford, still work on projects that produce patents and other intellectual property used in commercial, medical and academic fields. And intellectual property has become the prime target of many cyberattacks, officials say.

Last year, Gen. Keith Alexander, director of the National Security Agency, called online intellectual property theft “the greatest transfer of wealth in history,” costing U.S. companies $250 billion a year.

It also has become the primary goal of state-sponsored attacks, according to Toomas Hendrik Ilves, president of Estonia, home to NATO’s cyber defense center.

“We focus too much on the military side of things,” Ilves said during an April 2012 talk at the Center for Strategic and International Studies in Washington, D.C. “It’s the economy, stupid. It is intellectual property that is the real worry.”

For universities, the threat means strengthening security from the inside out. Where government or corporate organizations can put their strongest defenses on the network perimeter, universities recognize that their perimeters must remain “somewhat porous,” the Times reported. But sensitive information can be kept encrypted and in separate partitions within the network.

“It’s sort of the opposite of the corporate structure,” Paul Rivers, manager of system and network security at the University of California, Berkeley, told the Times. “We treat the overall Berkeley network as just as hostile as the Internet outside.”